Is it really necessary to secure your entire website with Secure Sockets Layer (SSL)? Before we begin answering that question, let’s remind ourselves why SSL is used in the first place.

SSL is used to secure connections between a user’s computer and the server of the website they’re browsing. This is a very simplistic explanation, but it sums things up. Ultimately, the point of this technology is to protect data in transit, such as usernames, passwords, credit card information, and the like.

You’ll notice that almost every respectable e-commerce website will secure checkout and payment pages with SSL. This has been standard practice, and it’s to make sure that the data you enter remains encrypted until it reaches the server it’s destined for. Without SSL encryption, this data remains in plain text and can be read or even altered (i.e. through man-in-the-middle attacks) by potentially malicious third parties. A good rule of thumb is to never submit any personal data (particularly financial data) over an unencrypted connection.

But the question here is whether site-wide SSL is really required. Let’s ask ourselves a couple of questions…

What would be the cost implication?

Assuming that you’ve already purchased an SSL certificate for your crucial transactional pages, the additional financial cost of extending this to the rest of your website would be nothing. If, however, you purchased the SSL certificate to work on a specific sub-domain (e.g. www.mywebsite.com) and you had other sub-domains within the website, then you’d most likely have to upgrade your certificate or purchase a new one altogether (i.e. a wildcard certificate for *.mywebsite.com).
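As an added example (not part of the original article), the sketch below checks which hostnames a single-name certificate and a wildcard certificate actually cover, using the rule that a wildcard stands for exactly one left-most label. The hostnames other than www.mywebsite.com, and the names `name_matches`, `uncovered`, `SITE_HOSTS` and `CERTS`, are assumptions made for illustration.

```python
# Added example. Hostnames are constructed from the article's mywebsite.com.

def name_matches(pattern: str, hostname: str) -> bool:
    """Check one certificate DNS name against a hostname.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label, the rule browsers apply (see RFC 6125).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Conservative choice: refuse a wildcard directly under a TLD ("*.com").
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "w*.example" are not accepted
    return p_labels == h_labels


def uncovered(cert_names, site_hosts):
    """Return the site hostnames that no name in the certificate covers."""
    return [h for h in site_hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed inventory of the hostnames a site-wide rollout would touch.
SITE_HOSTS = [
    "mywebsite.com",
    "www.mywebsite.com",
    "shop.mywebsite.com",
    "img.cdn.mywebsite.com",
]

# Three candidate certificates, described by the DNS names they carry.
CERTS = {
    "single name": ["www.mywebsite.com"],
    "wildcard": ["*.mywebsite.com"],
    "wildcard + apex": ["*.mywebsite.com", "mywebsite.com"],
}

if __name__ == "__main__":
    for label, names in CERTS.items():
        print(f"{label:16} leaves uncovered: {uncovered(names, SITE_HOSTS)}")
```

Note that the wildcard alone covers neither the bare domain nor a second-level sub-domain, so both need to be counted when pricing a site-wide certificate.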

Cost can be looked at from a non-financial perspective as well. Encryption and decryption take time. There is a certain processing burden on the server, which could potentially slow your website down somewhat. Depending on the complexity of the functions taking place on your server, the amount of traffic it handles at a particular moment, the amount of data being processed, and other factors, SSL encryption could be quite a burden on both your server and your website’s visitors.

SSL Security on Standard Chartered Bank

What does securing the entire website mean to people?

Let’s not call them users while answering this question.

The most logical foundation for user comfort and security would be to secure forms and other pages that either output or input any data that could be deemed sensitive to users. Once a user is authenticated, then it might make sense to secure the entire experience with SSL encryption. Otherwise, a “use when needed” approach might be most efficient. Users can easily be seen as hits, pageviews, and other statistical elements, but what we’re tackling here is the human aspect of it all. Security and privacy are big concerns to people. Regardless of the source or reality of their concerns, SSL encryption does deliver a feeling of security and privacy. The technology has become synonymous with transactional comfort, and it gives people the confidence they need to divulge personal and private information. Do users need this confidence on a website that doesn’t require them to submit personal information? Probably not.

Site-wide SSL isn’t something we recommend by default. It’s very specific to the website, the data being output and input on it, and the expectations its users have. Users of a fashion blog probably wouldn’t care if the website was secured at all, but site-wide SSL encryption might be a logical requirement for banking websites. Ask yourself the questions we presented above, and if you really feel your entire website needs to be protected, give us a call and we’ll walk you through the process.